NTSTATUS NTAPI NewLdrLoadDll(
IN PWCHAR PathToFile OPTIONAL,
IN ULONG *Flags OPTIONAL,
IN UNICODE_STRING *ModuleFileName,
OUT PHANDLE *ModuleHandle)
{
TCHAR tmpPath[MAX_PATH];
lstrcpynW(tmpPath,ModuleFileName->Buffer,ModuleFileName->Length);
printf("[#] ModuleName : %ws\n", tmpPath);
//printf("[#] ModuleName : %wZ\n", *ModuleFileName);
NTSTATUS err=((PFLDRLOADDLL)OrgLdr)(NULL, Flags, ModuleFileName, ModuleHandle);
return err;
}
im currently practicing looking into LdrLoadDll using ahk.
So i trying to get ModuleFileName among LdrLoadDll parameters. To do this, I generally checked with StrGet(ModuleFileName,"UTF-16"),
but I couldn't do it normally, and when I looked up the above c++ code, I found that I had to use the lstrcpynW function separately.
How can I convert the red colored code in the code above to ahk?
c++ strcpynW to Ahk Topic is solved
-
- Posts: 147
- Joined: 05 Nov 2016, 22:42
Re: c++ strcpynW to Ahk
Code: Select all
buffer := NumGet(ModuleFileName, buffer_offset?, "ptr")
StrGet(buffer,"UTF-16")
-
- Posts: 147
- Joined: 05 Nov 2016, 22:42
Re: c++ strcpynW to Ahk
.unfortunately it also doesn't return modulefilename.thqby wrote: ↑22 Sep 2021, 22:45Code: Select all
buffer := NumGet(ModuleFileName, buffer_offset?, "ptr") StrGet(buffer,"UTF-16")
Code: Select all
buffer := NumGet(ModuleFileName, "ptr")
StrGet(buffer,"UTF-16")
Re: c++ strcpynW to Ahk
Get? IN PUNICODE_STRING ModuleFileName is an INput parameter and not an OUTput parameter
ModuleHandle is what you get from this function (OUT PHANDLE ModuleHandle)
ModuleHandle is what you get from this function (OUT PHANDLE ModuleHandle)
[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile
Re: c++ strcpynW to Ahk Topic is solved
Code: Select all
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
Code: Select all
Length := NumGet(ModuleFileName+0, "UShort")
MaximumLength := NumGet(ModuleFileName+2, "UShort")
Buffer := NumGet(ModuleFileName+4, "Ptr")
MsgBox % StrGet(Buffer, Length * 2, "UTF-16")
-
- Posts: 147
- Joined: 05 Nov 2016, 22:42
Re: c++ strcpynW to Ahk
My question was a bit odd. Let me explain more clearly.
When dll injection is performed, the LdrLoadDll function inside ntdll is called.
When the LdrLoadDll function is called, we are trying to get the name of the module to be injected.
Both LoadLibraryW,LoadLibraryExW can import successfully.
But for LdrLoadDll, I didn't get the third parameter, ModuleFileName.
When LdrLoadDll is called, we want to get the name of the module we want to inject (the third parameter, ModuleFileName).
Here is the code I am using. I used minhook.
Code: Select all
setbatchlines -1
NTDLLLdrLoadDll := New MinHook("ntdll.dll", "LdrLoadDll", "NTDLLLdrLoadDll_Hook")
NTDLLLdrLoadDll.Enable()
KernelBaseLoadLibraryW := New MinHook("KERNELBASE.dll", "LoadLibraryW", "KernelBaseLoadLibraryW_Hook")
KernelBaseLoadLibraryW.Enable()
Return
;Failed to get module name. (ntdll.LdrLoadDll)
NTDLLLdrLoadDll_Hook(PathToFile, Flags, ModuleFileName, ModuleHandle) {
global NTDLLLdrLoadDll
buffer1 := NumGet(ModuleHandle, "Ptr")
str1 := StrGet(buffer1,"UTF-16")
fileappend,%str1%`n,c:\str1.txt
msgbox %str1%
return DllCall(NTDLLLdrLoadDll.original, "UPtr", PathToFile, "Uint", Flags, "Ptr", ModuleFileName, "UPTR", ModuleHandle)
}
;can get module name. (KERNELBASE.LoadLibraryW)
KernelBaseLoadLibraryW_Hook(lpLibFileName) {
global KernelBaseLoadLibraryW
thisModule := strget(lpLibFileName,"UTF-16")
fileappend,%thisModule%`n,c:\KernelBaseLoadLibraryW.txt
msgbox %thisModule%
return DllCall(KernelBaseLoadLibraryW.original, "UPTR", lpLibFileName)
}
Return
-
- Posts: 147
- Joined: 05 Nov 2016, 22:42
Re: c++ strcpynW to Ahk
Thank you. This works perfectly. I learned a lot from your answers. Thank you.swagfag wrote: ↑23 Sep 2021, 02:18Code: Select all
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING;
string may or may not be nullterminated, so u cant just omit the lengthCode: Select all
Length := NumGet(ModuleFileName+0, "UShort") MaximumLength := NumGet(ModuleFileName+2, "UShort") Buffer := NumGet(ModuleFileName+4, "Ptr") MsgBox % StrGet(Buffer, Length * 2, "UTF-16")
Also thank you jNizM for your help.